[staff] [local-ir@ripe.net] signing the roots
Dear colleagues,

At the DNS-WG at the last RIPE meeting (RIPE 44) Johan Ihren presented his proposal for an interim scheme for signing the public DNS root. The current version of this Internet-Draft is:

draft-ietf-dnsop-interim-signed-root-01.txt

The full text of this Internet-Draft can be found at:

http://www.ietf.org/internet-drafts/draft-ietf-dnsop-interim-signed-root-01....

In the Internet-Draft, a mechanism has been proposed for a first stage of a transition from an unsigned DNS root to a signed root, such that the data in the root zone is accompanied by DNSSEC signatures to allow validation.

The process of doing this involves the use of a set of operator keys which are signed by one key signing key, sometimes referred to as a "master key". It has been further proposed that these key signing keys be managed by the Regional Internet Registries (RIRs).

The proposal states the requirements of the RIRs would be to:

* establish a secure out-of-band communication path in collaboration with the signing operators which will be used for authenticated exchange of the unsigned keyset.
* periodically generate strong keys using a good random number generator
* manage their keys (i.e. use them for signing the operator keyset and keeping the private key appropriately secret)

Question:

Since this Internet-Draft suggests future action by the RIRs, the RIPE community should discuss this issue and provide feedback to the author. Therefore, the following question is asked:

Is this a task that should be performed by the RIPE NCC?

Please direct your feedback to dns-wg@ripe.net mailing list.

Regards,

Andrei Robachevsky
CTO, RIPE NCC